We are in the process of implementing Alert Logic in our environment. This particular portion of the environment is behind a load balancer and firewall. In order for Alert Logic to be able to read the traffic behind the load balancer, we needed to disable Diffie-Hellman (DHE) and elliptic curve Diffie-Hellman key exchanges.
So, I did this, and I am indeed able to verify that applications hosted on that server on IIS are not using DHE/ECDH.
I ran into a problem, however, when making outbound HTTPS calls from Epicor server-side functions (hosted on that server) to the internet: I'm getting a generic SSL/TLS handshake error.
When I re-enable DHE/ECDHE, the errors go away and I can make outbound HTTPS connections to my heart's content.
This is a layered problem in that we believe the load balancer still has DHE turned on, but you'd think it would be able to negotiate downward.
All that is to say: can IIS handle inbound traffic without DHE and outbound traffic with DHE, or is it all the same since it's at the OS level?
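The following PowerShell script is an added example for readers of this thread; it is not part of the original post and not Epicor or Alert Logic tooling. It shows the two things worth checking on the IIS box itself: which Schannel key-exchange switches and cipher suites are in effect, and what an outbound handshake from that same box actually negotiates. Schannel's KeyExchangeAlgorithms registry keys and its cipher-suite list are machine-wide (they have no separate Client and Server subkeys, unlike the per-protocol TLS 1.x\Client and \Server keys), so removing DHE/ECDHE there affects every process on the host acting as a TLS client, not just inbound IIS traffic. The script assumes Windows Server 2016 or later (for the Get-TlsCipherSuite cmdlet), an elevated session, and a placeholder host name; Test-OutboundTls is a helper name chosen here, not a built-in cmdlet.

```powershell
# Added example, not from the original post. Assumes Windows Server 2016+ (TLS cmdlets
# available) and an elevated PowerShell session.

# 1. Machine-wide Schannel key-exchange switches. Missing 'Enabled' value means the
#    algorithm is on by default; 0 means it was disabled (e.g. for Alert Logic decryption).
$kexRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms'
foreach ($alg in 'Diffie-Hellman', 'ECDH', 'PKCS') {
    $path    = Join-Path $kexRoot $alg
    $enabled = (Get-ItemProperty -Path $path -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $state   = if ($null -eq $enabled) { '(not set, default enabled)' } else { $enabled }
    '{0,-16} Enabled = {1}' -f $alg, $state
}

# 2. Cipher suites still offered by this host. Any remaining *_DHE_* or *_ECDHE_* suite
#    would still be usable; an empty result confirms only RSA key transport is left.
$suites = Get-TlsCipherSuite | Select-Object -ExpandProperty Name
"Total suites enabled: $($suites.Count)"
$ephemeral = $suites | Where-Object { $_ -match '_(EC)?DHE_' }
"Ephemeral (DHE/ECDHE) suites still enabled: $($ephemeral.Count)"
$ephemeral

# 3. Outbound test from the same box. Because the client role uses the same Schannel
#    policy, a remote server that only offers (EC)DHE suites will fail here with the
#    generic handshake error described in the post.
function Test-OutboundTls {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        [pscustomobject]@{
            Host        = $HostName
            Protocol    = $ssl.SslProtocol
            # On .NET Framework, ECDHE is reported as the undocumented enum value 44550
            # rather than a named member; DiffieHellman or RsaKeyX are the named ones.
            KeyExchange = $ssl.KeyExchangeAlgorithm
            Cipher      = $ssl.CipherAlgorithm
            Strength    = $ssl.CipherStrength
        }
    } catch {
        [pscustomobject]@{
            Host  = $HostName
            Error = $_.Exception.GetBaseException().Message
        }
    } finally {
        $client.Close()
    }
}

# Placeholder host; replace with the endpoint the Epicor server-side function calls.
Test-OutboundTls -HostName 'example.com'
```

Run step 3 before and after toggling the Diffie-Hellman and ECDH keys (a reboot is needed for Schannel to pick up the change) and compare the KeyExchange field: if the remote endpoint only succeeds when DHE/ECDHE are enabled, it is the outbound peer, not the load balancer, that has no RSA key-transport suite in common with the now-restricted host.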